BAGHOLDER

Privacy Policy

Version 1.4 — Last updated: June 4, 2026

This Privacy Policy describes how BAGHOLDER ("we," "us," or "our") collects, uses, and protects your information when you use our mobile application.


Information Stored on Your Device

BAGHOLDER stores the following data locally on your device using encrypted storage (iOS Keychain / Android Keystore for secrets, an encrypted local database for structured data):

  • Your bags and token lists
  • Purchase history and pending orders
  • Blocked-attempt audit log (kept for 365 days for support purposes; a structured mirror is also stored on our server — see below)
  • Portfolio snapshots
  • Monthly activity summaries
  • Diagnostic logs
  • State of residence
  • Date of birth verification status
  • Wallet address
  • Verified mobile phone number and the timestamp of its last verification (stored locally so we don't have to re-ask you for every buy — see "Third-Party Services" below for how it's used)
  • App settings and preferences
  • Disclosure and terms acceptance records

Other than the blocked-attempt mirror noted above, this data is NOT transmitted to our servers and remains exclusively on your device.

Encrypted Cloud Backup

To protect against data loss (device replacement, app reinstallation, or accidental storage clearing), BAGHOLDER automatically creates an encrypted backup of your on-device data. This backup is encrypted on your device using a key derived from your wallet before transmission. We store the encrypted data on our server but cannot decrypt, read, or access its contents. Only your wallet can unlock the backup.

The backup includes: purchase history, bag configurations, app settings, and portfolio snapshots. On reinstall or device change, signing in recovers your wallet, which automatically decrypts and restores your data.

You can delete your backup at any time by deleting your account in Settings.


Information Stored on Our Server

Our server stores the following data in a secured database:

  • Payment profile (wallet address, transaction volume)
  • Payment charge records (Coinbase session ID, charge amount, fee amount, wallet address, chain, status, timestamp)
  • Gas funding records (wallet address, transaction hash, native-token gas amount, chain, timestamp)
  • Fee sweep records (chain, amount, transaction hash, fee type, timestamp) retained for 7 years for tax purposes
  • Per-token swap outcomes (chain, symbol, amount, DEX used, success/failure reason, transaction hash)
  • Cached wallet token balances (so we do not pay third-party RPC providers for repeat reads of the same on-chain data)
  • Solana ATA membership cache (which token accounts your Solana wallet has, so we charge the correct account-creation rent)
  • Per-state activity aggregates and snapshots: rolling-12-month totals of purchase volume, platform fees, purchase count, and active-user count, broken out by the state code recorded on each purchase. Used to monitor compliance with state-level thresholds such as California Financial Code §3103(b)(9). A snapshot of these aggregates is persisted to a separate table approximately once per calendar quarter, to provide a historical record of what we knew when. The aggregates and snapshots do not contain wallet addresses or individual purchase records — only state-level totals.
  • Verified wallet binding pair if you bind a Solana wallet (EVM address ↔ Solana address, signed proof)
  • Wallet-to-account binding (a record linking each wallet address you sign in with to the account identifier issued by our wallet provider, Privy). Used to enforce per-account limits described in the Terms of Service. No additional personal information is collected through this binding.
  • Suspended-wallet list (wallet addresses we have refused service to, with a short text reason and timestamp). Used to enforce the suspension provisions in the Terms of Service. Suspension blocks new purchases through the App only; suspended accounts retain the ability to export their private keys through the wallet provider's hosted page.
  • Anonymized usage events (e.g., app opens, feature usage, purchase outcomes) associated with your wallet address only and automatically deleted after 1 year
  • Blocked-attempt audit log mirror (chain, amount requested, token symbols, block reason, timestamp) — required to demonstrate compliance with state eligibility, age, and limit rules. Retained for the regulatory window (no automatic deletion).
  • Token registry liquidity events (token de-list/re-list history with reason — used to power the "this token was removed" message in the app)
  • Shared bag configurations (token lists only, no personal data) if you choose to share a bag via the sharing feature. Unused shared bags are automatically deleted after 1 year
  • Optional username + the encrypted cloud backup of your local app data if you opt in — encryption key is derived from your wallet signature and the server cannot decrypt it
  • Onboarding attestation records (see below) — pre-wallet events fired during signup at the age / state / legal-document gates. Keyed by a per-device fingerprint, not by your wallet. Retained for 1 year.

Onboarding attestation records

During signup, before you have a wallet, the App fires events to our server to record outcomes at each gate (age verification, state selection, and legal-document review). These records exist so that we can apply the safeguards described below and so that we can produce an audit trail if a regulator ever asks how we screened our users. The events we record:

  • Age verification outcome — pass or fail, with an age band (under 13, 13–15, or 16–17) on fail, plus the attempt number. We do not record your date of birth — only the band the attempted age fell into.
  • State attestation outcome — pass or fail, with the state code you attested on fail, so a NY resident who attempts to attest NY before correcting to a supported state shows in the audit trail as having attested NY first.
  • Legal-document review events — that you opened the Disclosure, Terms, or Privacy screen; how long you spent on it; whether you scrolled to the bottom; and whether you accepted or backed out without accepting.

Each event is keyed by a per-device fingerprint — a random UUID issued by our server on first launch, stored in your device's secure storage. The fingerprint cannot be linked to your wallet, name, email, or any identity on our side; it exists only so we can recognize repeat attempts from the same install. The fingerprint resets if you reinstall the App on Android (iOS Keychain persists across reinstalls).

We also capture the request IP address at the moment of state attestation. This is used solely as a passive cross-reference for the audit trail — we do not use IP to block, throttle, or geolocate you in real time, and we do not display it back to you anywhere in the App. IP is recorded only on the attestation event itself, not on every subsequent App request.

We treat the captured IP address as a signal, not a proof. Many factors — VPNs, mobile carrier NAT (millions of mobile users share the same egress IP through their carrier), corporate networks, school networks, IPv6 transition, Tor — make the IP address of any request an unreliable indicator of the user's actual physical location. We do not claim, in our own analysis or in any defense we would offer to a regulator, that the IP address proves where you live or where you were when you attested. Your self-attested state of residence is the primary record; the IP at attestation is one secondary cross-reference for the audit trail. If you later update your state of residence (see Settings → State of Residence), we record a separate state_changed event with the prior and new state codes, preserving the full history of every state you have attested.

Soft-block. If the same device exceeds a small number of rejection attempts at the age or state gate within a short window, the App will display a "we can't verify your eligibility right now, please try again later" message and temporarily disable further attempts. This is a friction control to prevent rapid retry-with-different-input attacks; legitimate users who fat-finger a digit are not affected.

These records are retained for one year and are never linked to your wallet, payment, or order records, even after you have a wallet.

These records are necessary for payment processing, service improvement, regulatory compliance, and feature functionality. They do NOT include your name, email address, phone number, or any other personally identifiable information (PII).

Important: your phone number and email address DO pass through our server when you make a buy — they are forwarded to Coinbase as required by their payment API. The transit is encrypted (HTTPS) and the values are discarded immediately after they're sent to Coinbase. No row of any database on our server contains your phone or email at rest.


Information We Do NOT Collect

BAGHOLDER does not store on any server:

  • Private keys or wallet seed phrases
  • Your name
  • Your email address (passes through in-transit on each buy only — see above)
  • Your phone number (passes through in-transit on each buy only — see above)
  • Date of birth (only the age band on a rejected attempt — see "Onboarding attestation records" above)
  • Biometric data (device authentication returns a boolean only)
  • Bank account credentials or login information
  • Social Security numbers or government IDs
  • Location data (your IP address briefly touches our server during each buy and is forwarded to Coinbase for fraud-risk scoring — we do not log or store it; the single exception is the attestation-event audit trail described above, which is never linked to your wallet, payment, or order records)

Third-Party Services

BAGHOLDER integrates with third-party services that process your data under their own privacy policies:

Coinbase (payments and market data)

Coinbase processes USD-to-USDC conversion via their embedded onramp API and provides public price chart data. On every buy we send Coinbase your wallet address, your verified US phone number, your email address, your IP address, the amount, and the destination chain. Coinbase uses these for fraud prevention, identity verification, receipt delivery, and tax reporting under their own privacy policy. We receive only confirmation of successful USDC delivery. No user data is shared for market data requests.

Tax reporting: BAGHOLDER is a non-custodial software tool and does not prepare or file tax forms on your behalf. Buying cryptocurrency through our integrated onramp is generally not itself a taxable event under current US tax law, but each subsequent token swap or sale can be a taxable event for which you are responsible. Any tax forms you receive related to your crypto activity will come from a third party (such as an exchange where you eventually sell), not from BAGHOLDER. Use the Activity CSV export in the app's Settings to share your purchase history with a qualified tax professional. Tax rules vary by jurisdiction and change over time — always consult a qualified tax advisor for your specific situation.

See: coinbase.com/legal/privacy

Firebase Phone Auth (phone verification SMS)

When you verify your phone, Google's Firebase service sends the SMS and returns proof to us that you control the number. Firebase sees your phone number; we receive only the verification result. The phone is NOT visible to our server in this step. Firebase uses the number for verification and abuse prevention.
See: firebase.google.com/support/privacy

Privy (wallet creation)

Privy creates and manages your non-custodial embedded wallet using advanced cryptographic techniques. Privy may collect your email address or social login credentials for authentication. We do not receive or store these credentials.
See: privy.io/privacy

Firebase Crashlytics (crash reporting)

We use Google's Firebase Crashlytics for crash reporting. When the app crashes, Crashlytics sends Google a crash report that includes a Crashlytics Installation UUID (an anonymous identifier Google generates per app install — not linked to any account or wallet on our side), your IP address (used by Google for geographic crash distribution and discarded afterward), the stack trace and exception details, device model, and OS version. We strip wallet addresses and Solana addresses from error messages before sending. Crash reports do NOT contain your name, email, phone, or wallet address.
See: firebase.google.com/support/privacy

Blockchain infrastructure providers (RPC)

Third-party providers relay blockchain data between your wallet and the network. They may see your wallet address in transaction requests. No personal data is shared beyond the wallet address.

Jupiter (Solana DEX aggregator)

For purchases on Solana, our server sends your swap parameters (input token, output token, amount, your wallet address) to Jupiter's public aggregator API so it can return a routed swap transaction your wallet then signs. Jupiter sees only the wallet address and swap parameters.
See: jup.ag/legal/terms-of-use

CoinGecko (market data)

We fetch public cryptocurrency market data from CoinGecko. No user data is shared with CoinGecko.


Data Retention

  • Local data: stored until you delete your account or uninstall the app.
  • Server payment records, gas funding records, and fee sweep records: retained for 7 years for tax and accounting purposes.
  • Payment profiles: retained while your wallet is active.
  • Anonymized usage events: retained for 1 year, then automatically deleted.
  • Shared bag configurations: automatically deleted after 1 year of inactivity.
  • Blocked-attempt audit log: retained on your device for 365 days, then automatically pruned.

Your Rights

You have the right to:

  • Export your data at any time from Settings.
  • Delete all local data by using the Delete Account feature in Settings. Upon deletion, all local data is permanently erased and your wallet session is disconnected.
  • View your transaction history and monthly summaries at any time within the app.
  • Request deletion of server-stored data by contacting us at support@getbagholder.com.

California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to know what personal information we collect and how it is used.
  • Right to delete your personal information.
  • Right to opt out of the sale of your personal information. We do NOT sell your personal information.
  • Right to non-discrimination for exercising your rights.
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information. We do not collect sensitive personal information.

To exercise these rights, contact us at support@getbagholder.com.


Geographic Availability

BAGHOLDER is available in 44 U.S. states. BAGHOLDER is not available in New York, Connecticut, Louisiana, Vermont, Minnesota, New Mexico, or the District of Columbia.


Children's Privacy

BAGHOLDER is not intended for anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information.


Security

We use industry-standard security measures to protect your data, including:

  • Encrypted local storage (iOS Keychain / Android Keystore)
  • HTTPS for all server communication
  • Advanced cryptographic key management via our wallet provider
  • API keys stored server-side only, never on your device

No system is 100% secure. You are responsible for securing access to your device.


Changes to This Policy

We may update this privacy policy from time to time. The current version is always available in the app under Settings. If we make material changes, you will be asked to review and accept the updated policy.


Contact Us

If you have questions about this privacy policy, contact us at:
support@getbagholder.com
getbagholder.com


© 2026 BAGHOLDER. All rights reserved.